
BSides Glasgow 2018 - Jordan Schroeder - Can we be mature about this?

BSides Scotland · 44:11 · Published 2018-05
About this talk
Talk delivered at BSides Glasgow 2018, on the 27th of April. Abstract: "When I became the acting CISO for 20 Universities and Colleges, instead of securing new innovations, I needed to secure the operations of long-running institutions, in some cases more than 500 years old. They did not need to do new things in a secure way; they needed to do very old things in a way that recognised that threats have been innovating at a break-neck speed. This is my story about how I learned to use maturity models to change attitudes, implement change, and see risk in new ways. I will also show how to employ maturity models in any institution to kick off continual improvement, and how to assess the security of an organisation, not just from a checklist, but from a holistic view."

Transcript (en)

Good morning everyone, good morning. My name is Jordan Schroeder: can we be mature about this? The other presentation is how to kill people by using the internet, and I can definitely understand why a talk about maturity models might not quite compete with that, but we'll try to keep it at least interesting so that we few, we precious few, can have some fun in the next 45 minutes. This is the second time speaking at BSides Scotland; I'm very honoured to be talking here again. My previous talk was entitled "How to get your users to give up sex for a year", and I decided to switch things up and talk about maturity, hence my maturity suit. I didn't want to be known as the sex guy. Professionally, that's not gonna really work for me; personally, eyebrow waggle. But I wanted to switch things up this year.

My name is Jordan Schroeder, by the way, and some housekeeping right off the bat: the accent, Canadian. That means if you can't understand what I'm saying, just ask me to repeat myself and I'll apologize five times. Who am I and what do I do? Well, I've done a lot in security. I am currently one of the moderators for Information Security Stack Exchange; there's another moderator here at BSides as well, and if you're not part of Information Security Stack Exchange, please join; we've got lots of fun and games happening there. I'm also the author of "Advanced Persistent Training: How to Take Your Security Awareness Program to the Next Level". I've done a lot of other stuff in inventing programs for security awareness, for phishing, and developed the world's most advanced phishing engine as well, so I keep my hand in a lot of things in security. But my career hasn't been entirely centered around security. For instance, I've picked some highlights from my CV: I've been a Coast Guard officer, a stage actor and director, a college department head, a network admin for a major network doing research into DDoS before it was known as DDoS. I've been a day trader, an undertaker, a tax preparer and a dungeon master. And when I present this list, someone always raises their hand and wants to ask a question about one of the items on this list, and let me just say, when I say dungeon master, that's the roll-the-dice, eat-pizza type of dungeon master, not the whips-and-chains dungeon master, and that's the one that everyone talks about.

All right, so I've done all these things, outside of security and within security, but most recently I was presented with a very interesting job opportunity, and I want to know what you would think and how you would respond to such an offer. The offer came to me as: there is a deputy CISO position open for a universities and colleges shared service; that means that you would be in charge of security strategy for 20 universities and colleges, all at the same time. Some of the universities are over 500 years old and represent some of the oldest parts of the internet, and haven't been updated much. Some of the universities have multiple Class B IP address blocks, which means that every single node and device within the network is given a publicly routable IP, including printers, servers, user devices and student devices. They have global campuses around the world, and research partners in areas of the world where a lot of other organizations would just simply geo-IP address block, just because they don't want to have to deal with the hassle. And IT is also not entirely centrally managed: the core of it is, but there's a lot of schools and separate research departments and other areas that run themselves, and they just use the school's IT infrastructure as basically a clean ISP. Oh, yeah, they have ethical hacking programs, so we're actually weaponizing the students in order to hack and cause problems on the network. And one of the core features, and one of the most critical things that some of the universities do, is engage in sensitive research with significance to national security. Oh yes, could you please prepare them for Cyber Essentials and GDPR? You're going to be the person who is ultimately responsible for the security strategy in these situations. The service model that we're using, where we lump everybody together and share information security strategy and leadership across such a large swath, has never been tried before anywhere in the world, and we consider this a greenfield opportunity, which is code word for "we've not prepared anything, please make it up as you go along". Show of hands: how many of you would say yes to this opportunity? Whoo, one brave, two, four, four brave souls.

I was presented with this opportunity and one thing kept running through my mind, just one thing. Gimli: "Certainty of death, small chance of success, what are we waiting for?" So I joined the team under Chris Sutherland; for those of you who don't know, it's the man in red. He was the lead CISO and brought me into the organization. And so one of the things that we needed to do, in being presented with these organizations with the challenges that I've just described, is the same types of things we'd want to do if you were brought in as a security manager, security leader, CISO for a new organization. How many of you have an idea of the two major high-level goals that you would want to accomplish within the first 60 days if you were dropped in as a security leader for an organization? First 60 days, what's the goals? Any ideas? Yeah, that's a sub-goal. Yeah, that's absolutely a sub-goal. Anybody else? What do you want to do, what do you need to be able to deliver? What you want to be able to deliver within the first 60 days, as soon as you've dropped into a security leadership position, is you need to be able to do an inventory and a baseline. If you're interviewing, these are the two things you want to be able to say. You need to do an inventory, not just of the things, the devices, the security kit, the security technologies and the people, but you need to do an inventory of the risks, you need to do an inventory of the processes, you need to do an inventory of the decision-makers, and then the real decision-makers, and then the things that you need to get done and the goals of the organization. Broad inventory. And then you need to do a baseline for the organization: you need to figure out what's normal, what's not normal, and what the normal needs to be. So an inventory and a baseline, basic high-level things.

Baselining, just baselining for us, for what we wanted to accomplish, looked at two things. Fine, the key: we want to take a look at two things, risk analysis and controls assessment. Now the risk analysis part, I could do an entire presentation on that alone, so I'm going to set that aside, but suffice it to say that after the risk analysis we had a good understanding of the impacts to the data for the organization. We then needed to look at the controls assessment and baseline the controls. Pretty standard stuff, nothing too grand or glorious here, but the challenge for us is that we needed to do it at scale. We needed to develop a process to do a baseline across everybody, times 20, so that means it needed to be fast, it needed to be comparable across all the different members, and it also needed to result in actions. This wasn't an academic exercise, even though we were dealing with academic institutions; this needed to result in something real for the organization. Just like we heard before, what we needed to produce needed to address their anxieties, and it needed to communicate faith in the vision for what was to come. That was our goal and that was our challenge.

Okay, so the controls assessment, and this is where we employed a maturity model approach; this is where we wanted to raise the maturity of all of our members. But why maturity? Why were we focused on maturity? We have the impact ratings for the different data sets and the different risks; we had those impact ratings, and we had also identified the fragile assets, and those are those data assets and those risks that hit a critical or sensitive level at really low volumes or really soon within the process. So we have identified all these things, we understood what the organization's risks were, and we then need to baseline the controls in a cybersecurity risk context. All right, risk equals likelihood times impact. How many of you have not seen this formula before? Raise 'em, raise 'em, raise 'em. Okay, that informs me as to how deep I need to go into this; apparently not that deep. We can catch up afterwards and I can talk to you about this later. All right, risk equals likelihood times impact. Yes, there's some other formulas and some other ways of describing this, but this is the basic one and I'll use this as the touchstone because everyone knows it. Is this a formula? No, this is a description of a relationship. It happens to have an equals sign in it, but it's not a formula. Don't plug numbers into this, even if they have decimal points, and assume you're doing proper maths; you're not. It's just a description of a relationship, it's a rule of thumb. Let's move on.

When we're doing a controls assessment, we want a baseline. We're not baselining the risks, we're baselining the mitigations. The controls are mitigations against the risks, right? So if you want to assess the baseline of the firewalls, firewalls is a mitigation, right? Fine. So then we bring in one of the adjustments to this formula, which is risk equals likelihood times impact, less the mitigations, and this is known as what kind of risk? Thank you very much, the residual risk: the risk you have left over after you have the mitigations. So what we were interested in communicating and analyzing for our institutions was what the residual risk was after the mitigations were in place, and we wanted to know whether or not the mitigations were at the appropriate level to drop the residual risk to a level that was appropriate for the organization. That's what we wanted to do.

Okay, here's the problem. I've done a lot of writing on this, I've done lots of presentations on this; it has to do with the problem of likelihood. What is the likelihood that you're going to get hit with, for instance, a virus within the next two years? Probably pretty close to a hundred percent within the next two years, sure. What's the likelihood that your IDS is not going to catch something? It's going to approach 100%. No matter what the risk is, when it comes to cybersecurity, likelihood starts to approach a hundred percent really fast, because it's not about the technology, it's about people. It's about the attackers and it's about the people within any organizations that are doing work. So what's the likelihood that a user is going to cause an error? What's the likelihood that a user is going to circumvent your technical controls? The curve starts to reach pretty close to a hundred percent, and it's basically just up to the will of the people involved to do or not do. Once you start running that calculation, again the curve starts getting really close to a hundred percent. How do you represent a hundred percent as an integer in a formula? Go for it. One, right? That's how you do the math with a hundred percent. It's great. What's 1 times any number? Any number, right? So we could potentially just drop likelihood from the formula altogether, given the assumption that likelihood is pretty close or equivalent to 1, which gives us this formula. Boy, I bet you're wishing you were at the death-by-internet talk right now; I go into the math lesson. All right, going through this quickly to understand why we're going through maturity models. So residual risk, in this case: residual risk is impact minus the mitigations, given the assumption that likelihood approaches 1.

Okay, now what are mitigations? Let's talk about an antivirus solution. That's great. An antivirus solution is not a mitigation, it is a tool for mitigation. How many of you heard this phrase: you can't buy your way to security? You can't just buy kit, throw it in your network, and woo, risks are mitigated. Nope. Security is a process, which means that the mitigations are also a process. So we wanted to do an assessment not on the technical mitigations, not on the kit, because there's not a lot of usefulness, not total usefulness, in that. We wanted to take a look at residual risk being a function of impact mitigated by process and process maturity. Now let's test this theory, let's test this idea. We can assume that an immature process is going to be less effective against a risk, as opposed to a mature process affecting a risk. So the more mature the process is around the mitigation, the higher the likelihood is that it's actually going to have a positive impact on reducing the residual risk. So this is why we looked at maturity, and this was Chris Sutherland's approach; he's used this before in other high-risk areas.

back to the controls assessment missed CSF if you haven't seen it is a really really useful tool what we didn't want to do because remember one of the goals that we had is there our controls assessment needed to be and our baseline you need to be comparable across all the member institutions so we didn't want to have a situation where we would drop into an institution enumerate what they had and then try to compare that with what other people had we wanted to come in with a prescriptive list this is the things that you're we're going to compare you against and this cybersecurity framework it works really really well for this there are 98 cybersecurity activities in version one

just release version 1.1 this last week we got 98 cybersecurity activities and controls broken up on five different areas identify protect detect respond and recover how many of you have not run into the NIST cybersecurity framework how many of you don't know what this is Oh most of you know some of you don't all right so this is real it's just a list broken up by category and this is a really really great idea we love this one of the other things that this that the CSF can do is its mapable two other frameworks Maps exist to a whole bunch of other frameworks so if we had an organization that wanted to use ISO 27000 if they wanted to use cyber

essentials we could then map everything to this one master list and then from institution the institution we could also map against the same static list this worked really really well for us and this is an example of some of the some of the activities these are taken from different areas some of the descriptions get really long so I chose the really really short ones physical devices and systems our inventory this is the first on the framework I think it's probably the most important because if you don't know what you're protecting you don't know what you're protecting you've got all users are informed in trains so you've got a managerial type controls impact of events is determined

you've got these conceptual type controls and forensics are performed so you end very very technical things being listed in the framework as well so these are the types of things that we had now what we needed to do is to assign maturity levels to each one of these activities and this was fairly straightforward what we did is we took a look at the CMMI control maturity framework that's really well known for software development and I refined it for cybersecurity controls and this is what I came up with maturity level 0 it's not done there was one organization which caused me to come up with 0 because most everybody else did had was doing everything at least at some point there

were there was one organization where there was one thing where they just simply didn't do it so like luckily there was only that one instance so I had to include a zero not down maturity level one defined the process is defined by the individuals this is where either the the users do what they're supposed to do because they know they're supposed to do it or they care about it or there is a cybersecurity person who is tasked with this one thing and they just do it maturity level two the process is defined and important to the group or the team so everything is defined by the team which means that if one person isn't doing it someone else in the team

is going to fill that gap and there's some normalization of the processes within the team ok pretty standard 3 the process is defined by the organization and important to the organization at the add an organizational level okay so this is break it policies official policies and procedures and guidelines and and that sort of information defined at a high level push your to the organization to the rest of the organization the other thing that I put in here for maturity level 3 is if it is truly fully automated this is where you actually drop in kit and it just works and it does its thing in it it does it connects with everything else in order to do its job so if it was

fully automated maturity level 3 because it's basically the same type of ideas if the organization had defined it themselves maturity level 4 same as maturity level 3 except it is also audited it creates artifacts that are checked to make sure the process is working a maturity level 5 it is and improved its own improving cycle alright pre straightforward pretty clear haven't haven't blown anyone's mind alright lessons learned I'm halfway through and I'm already hopping on to the lessons learn stage but I wanted to do this here because there's there's a couple of reasons why because that'll become evident a second lessons learned about using maturity levels in order to assess security controls these were really really surprising to me and this

is one of the reasons why I wanted to do this presentation to pass this on to you by assessing by maturity levels ya get the strength and the simplicity of a checklist with a better reflection of reality do you have anti-virus check right we no one wants that no one wants that but there's power in knowing that yes we have antivirus solution but maturity level tells us yes we have antivirus solution and this is how we're using it we're using it this in this way the maturity levels and and and the numbers make it very very simple to assess and to communicate out the other thing that I have found in using maturity levels is

that evaluating controls on maturity levels is really really really difficult to argue with do you have an idea solution yes great who administers it I do great who else no one okay do you have is anyone else trained to do it no okay no problem but it's really really effective we've been able to catch this this this this this that's awesome that's great I'm really glad we're doing that that's a win for your organization that's maturity level one right because it's just you what happens if you get hit by bus Oh hmm and so invariably the conversation we go maybe I should train someone else in doing that great there was no argument about the level of

maturity because it's defined as reality it's not subjective as to effectiveness and it's not impinging upon their professional the professionalism of the people involved because it's not based on effectiveness this is the weakness of this model and the power we're not measuring the effectiveness of the controls we're measuring the effectiveness of the controls around the controls in order to boost the effectiveness of an ineffective mature control you typically need to make tiny tweaks because the Mitch process is mature enough to absorb them and move them forward successfully if you have an immature process and you need to make it more effective that's a really really really hard job so we're not measuring effectiveness we're still

measuring the maturity level effectiveness comes later talk about that all right so this is an example of my first report I walked in the organization within this CSF everything was great I had all the activities and I did all the interviews and I talked to people and I assigned the maturity levels we had funky discussions and everything was great really really frictionless and easy process to do those interviews because again we weren't talking about effectiveness came up with my levels and presented it in and I'm gonna give you an example in one institution they had senior executive and the director of IT presented this my full report came to this and here's your maturity assessment and the senior exec

freaked the hell out i I described it in my memory she started vibrating in her chair she starts looking at the director IV IT shooting daggers out of her eyes she's just starting to foam at the mouth she's looking at me with just like like complete despair him mad with complete anger and I'm like what's going on here and she's like I thought you told me that we were secure enough I'm like hey how did you get what she says there's no fives anywhere on this list there is no fives however it's a fair the amount of cost and effort to get everything I'm like whoa whoa whoa whoa time out time out time out

wait wait wait everything's not supposed to be a 5 they'd be great if everything was a 5 but that's not realistic because everything's not supposed to be a 5 she's like well what's it supposed to be I'm like but I've done this assessment to give to you so that you can assess what the appropriate level of maturity is to address your residual risks you you you you need to do that balance and she looked at me and said but how am I supposed to know how that works and I facepalm so hard that I bruised myself and I said fair point that's kind of my job isn't it this is let me come back I've got some ideas let me come

back so without what I realized is that my maturity cycle maturity cycle needed some maturing how many of you can name this TV character by the way how many of you can name that TV character yeah the other North American in the room can name the character was that North American Canadian trying to be broad it wasn't try to out your nationality gdpr come on ok so this is what I had I had the assessments I had the activities on I had the maturity and what I realized I needed a target maturity level for each activity what makes sense because as I said the first item physical devices and systems are inventoried is probably far

more important and far probably has a greater impact on risk then whether or not forensics are performed right because that's more foundational okay so so obviously things need to be different across the board so I started trying to figure out what the target maturity per activity is per organization and we're I'm doing this for 20 organizations I wanted to do the assessment based on the effect on the overall risk which is more important and sort of ranking them I also wanted to do I also wanted to adjust the mature at the target maturity levels based on the size of the organization there's a massive organization with a complex IT structure the maturity levels need to be greater

because there's a greater chance for things to fall through the cracks complexity means too many bad things can be hidden so the size of the organization boosts the target maturity level a smaller organization it's a lot harder to hide things and also I wanted to adjust it based on asset fragility if there were assets that the organization had that were so fragile that they could not withstand even the slightest hint of risk then the maturity levels also need to increase we need a crease to reduce the residual risk all right now to do this I was I needed to do this several times so I worked out an algorithm between all of these things to determine

what the level should be for each of the 96 I just wrote a simple script to do to employ that algorithm so great really really simple toss it into a spreadsheet Bob's your uncle this is the second version of my report now I have the activities I have my assess current level where they're at and then my suggestion for their target maturity level great now this makes sense I then go back to this organization and I talk to the senior exec and she's like oh well that that eases my anxieties okay this makes a lot more sense okay this is great I like numbers that are close together this is this is good this is good all right but what does it mean

that physical devices and systems are inventoried and it needs to be maturity level three and I'm like but that's what the maturity level things for is its defined by the organization and or automated oh but what does it actually look like I'm like huh please don't ask me to do this please don't ask me to do this please don't I'm going I'm gonna offer to do this anyway says tell you what why don't I come back right up what each of the maturity levels mean for each of these scenarios so then you know what you're what you're looking at she said that'd be great thanks I went so then I went back home and I started

working on for each of the maturity levels for each of the items what it would typically look like foreign or for an organization that's of course maturity level zero I didn't do anything introduced because it's not done that means five times 100 that was 500 scenario I wrote up for the report and this is what I ended up with this is like the first line for the fiscal inventory so maturity level 1 ad-hoc individual use of tools and processes maturity level 2 ad-hoc team and team use of tools and processes maturity level 3 automation and regular use of tools and processes with documentation backed by stablish guidelines entry to level 4 and audited maturity level 5 and audited and

systemic improvements based on kpi's tried to keep the language as generic as possible because there's really hoping to use the same thing a few times and that worked but not as often as I hoped there was a lot of writing to be done and rewriting and writing and editing was a big big chunk of work but I did it I got it all in I then plugged it into my report and so this is what it came back to the organization with and said great physical devices and systems are inventoried here at a level one you need to be level three and this is what level three looks like great she says lovely this makes a lot of sense yeah I can see

that here director of IT make that happen okay okay good good right we have buy-in everything makes sense I've spoken to the anxiety's I've they have faith in the process and at a gut level it makes sense beautiful according to Carter good communication and then I had a thought I'm going huh so this is being showed it to the senior execs that's great it's now being handed to director I T to be actioned remember the hope one of the things is that it needs to be actionable great that's lovely but I bet we've got a better idea here we I think I have I think I know how to improve this entire process what are the things

they should be tackling first there's a hundred items what are we talking first the things with the biggest gaps right if there's one and it's supposed to be a four that's a gap of three we should be doing those first right right sure great so in my report it should be really really simple to add a column a priority call I don't call them which is basically the target minus the current sort the entire thing by priority and guess what you get action plan an action plan that's based on the priority with a target with the target state this is what you should Emmet end up with which means it's really really easy for the director of

IT or the networking folks to implement because they know what it's supposed to look like from a procedural level yay so what did I end up creating I stepping back and on this whole thing I'm going wait a minute we started off with just trying to assess the control the baseline the controls based on maturity levels but what have I created I've could this is now looking very very different from what I started with well how do you ended up creating an is what I realized is a prescriptive process maturity requirement approach this is what you should look like and I had tool set to do it my little spreadsheet that I that I worked up had all the formulas in it and

had all the content you just needed to put in whatever the current assessment level was that's great so now we have a tool set and an approach it's not just an assessment approach but it's prescriptive this is why you should look like and then this is how you get there so the whole was looking a lot bigger than the sum of parts and it comes with a whole bunch of inherent bonuses including strategic executive exective x' watch the security strategy objective then in using this tool reaching an appropriate maturity level for each of your controls that becomes your security strategy it's got a built in gap analysis a built in action plan that's contained in a simple spreadsheet I

start getting so excited about this that I started socializing this with other people including the public sector here in Scotland and they're like this is brilliant we love this and so they started using it too all in all it was really really really effective in working with the organizations the entire thing is easy to understand at a gut level it's easy to communicate to senior management again we got numbers that are compared and prioritized and everything's great and in a gut level they can take a look at at the at the scenario it was what the levels look like and I go yeah sure that makes sense it's really is you start working on because it doesn't

rely on buying more yeah yes technology can help you fill in the gaps but that's only if you have a mature process that can handle the technology if you don't have the people and training and the bandwidth to handle the technology buying new technology isn't going to help so what the action plan doesn't result in and we need you to buy all of these things after an analysis and talking with them they come to a conclusion that yeah ok in order to make it to this maturity level we probably need to buy a couple more things okay that's great but my action plan didn't say that they said that as an assessment - in order to reach the goals this was a

huge win overall in speaking with the technicians the directors of eyeties and the senior executives the entire thing was frictionless and tension free and that was a huge surprise was a win for everybody involved but wait there's more I looked at the maturity level definitions because the reason I did this is because I'd done the assessments and people and people wanted to know what the target maturity looked like and so I created the five hundred to five hundred scenarios okay and then I went to a member institution for whom I had not done an assessment I'm going okay and like oh yeah I've got the I've got these scenarios so I started comparing what they've got

with my scenarios, and then it hit me like a ton of bricks and a lightning rod, and I went, oh my god, I totally missed this fact: it's self-assessable. I didn't have to be involved, because the scenarios were so defined, and people weren't arguing with them, and it wasn't subjective but objective, based on what people were actually doing. I could hand it to the director of IT and say, here, do you want to do it? You can do it. You want me to do it? I can do it, but you can do it too. I've had a couple of directors, I'm teasing, say, yeah, it'll be a lot simpler for me to do it because it's all defined

here. Great, and then one of the directors of IT said, I could hand this to one of my schools that I don't control and get them to do it. I'm like, yeah, that's brilliant, do that, that'd be perfect. So embedded in all this is the fact that people can be doing this themselves, and also, more importantly, they can repeat it on a quarterly, yearly basis, for whatever they need, whatever they want. So this was brilliant. And then that one institution, there's always one, right? I was working with this one institution and they were probably the strangest of everyone in Scotland. They have a really, really, really small IT team and they've been working together for 15 years.

This means that nothing is documented. Nothing is documented; there are very few policies and procedures, very few guidelines, because the team just knows what to do, because they've been doing it for 15 years. So I'm like, okay, technically your maturity level is one, but the organization is gaining the benefit of a much, much, much, much higher maturity level. So I added a column to my report called equivalent maturity: the maturity level is one, but the organization was gaining a maturity level of four. I'm like, okay, that's great, but the organization needs to know about this disparity, and so I added another column to see if there was an equivalent maturity, and the

organization should know that the maturity level is at risk if the team changes, or if the one person who has been doing that for ten years leaves; the organization needs to know that there's going to be an impact. Does that mean the organization needs to do something right now in order to fix it? No. Typically what needs to happen is there just needs to be some documentation and some cross-training involved, and that's it. So it's a really, really easy thing to correct; it just needs to be noted. Great, so this meant that I've got a much, much easier process for some of these older teams in these older organizations. So after all of this and all these

iterations in my slowly maturing process, and as soon as I stopped face bombing myself, this is what my report now looks like: the activity, the currently assessed maturity level, whatever the exceptional equivalent maturity levels are for the organization, what I believe, based on my algorithm, the target maturity level ought to be, a priority, which is the difference, sorted by priority, notes if any of the maturity levels are at risk, and then of course, I didn't have those on this slide or else it'd be really tiny, the description of what the target maturity state should be. And this is really, really, really exciting because it was actionable, workable, and everybody

understood it. All right, summary. Why maturity? Because residual risk equals impact minus mitigations, given that likelihood probably approaches one. But mitigations aren't just kit, they're about people and they're about processes, so let's assess the process maturity and what people are doing around those mitigations. Maturity offers us the power of checklists without actually hiding reality, and maturity levels are really, really, really, really difficult to argue with. And lastly, a mature process is easily, too easy, to tweak to make more effective, so we're not checking effectiveness; we want to check the maturity, effectiveness comes later. What I created in this process is a prescriptive process maturity acquirement approach and toolset, a really, really simple spreadsheet. It is both

strategic, tactical and risk-informed. It's got a built-in action plan, oops, it's based on international standards, NIST CSF, and is mapped to multiple other frameworks out there. It's scalable, which means we can do the entire organization, small parts, or even an individual system, and it's also self-assessable. If you want to do this, it is really, really simple. Here's your action plan: take a look at NIST CSF, version 1.1 just came out this week; define what the different maturity levels look like, write the scenarios; define the target maturity levels for your organization; do the assessment; run a gap analysis and prioritize; and you can get the same effect and the same ease and the same

benefits out of the situation as well. Any questions? Oh sure, clock. [Applause] Yeah, a couple of questions, go ahead Paul, no, Kevin.

Oh, absolutely. The question is, with GDPR, is the requirement for forensics, does that need to be increased? Probably. What that's going to look like in practice is going to be up to the ICO and the capabilities of the organization; you can't have a small mom-and-pop being able to do forensics. If it's due care, then that's a balancing question that needs to be done per organisation, but yeah, GDPR and the required maturity level for each of these things is up to the organization. Yeah, and they mix in Cyber Essentials; Cyber Essentials has a bunch of requirements, they're mappable to the CSF, and there are a couple of things

if you just want to add them. The thing with Cyber Essentials is that it is prescriptive technical specifications, so there are specific technical things that you need to be able to employ, which means it's not necessarily mappable to maturity, but it ought to be, but it's not. All right, I was anticipating this question; my answer is no. What you need to do is take a photo of this slide, grab the activities; the current and equivalent are done at assessment time; you calculate the target based on your organization; priority and at-risk are simple spreadsheet formulas; sort by priority; add in the relevant descriptions into the spreadsheet; Bob's your uncle. I again

I'm just shocked at how effective this has been in raising the security standard and the strategy for our organizations. All right, we're down to questions. Any other questions? Yeah.

Yep, sure. I'm not talking with security professionals; I'm the CISO. If I say likelihood approaches 100 percent, or equivalent to 100 percent, because the likelihood is completely undeterminable or uncalculable over a two-year time span, because that's what's going to be required in order to put in other mitigations, it's going to approach like 100 percent, which means it's one. It's one. I can have that debate with security professionals; I've written papers and done a lot of presentations on this particular topic and I'm happy to talk about that, and I can talk about that with authority. Is it a debate? Sure. Is it a useful debate? No. Okay, in the end

it's not a useful debate. You want to tell me that because you want to debate what the likelihood amount is, you want to reduce the maturity in a security process? Is that what you really want to tell me? You really want to debate for less security? Okay, sure, yes, whisky up here. Thank you, thank you very much.

[ feedback ]
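The gap-analysis report the speaker describes (activity, assessed level, equivalent maturity, target, priority as the difference, an at-risk flag, rows sorted by priority) reconstructed as an added Python example; this is not the speaker's own spreadsheet, the activity names reuse NIST CSF category identifiers, the level values are constructed sample data, and the 1-to-5 scale and the priority and at-risk rules are assumptions.

```python
from dataclasses import dataclass

LEVELS = range(1, 6)  # assumed five-level scale: 1 = ad hoc ... 5 = optimised


@dataclass(frozen=True)
class Activity:
    name: str        # CSF category being assessed
    current: int     # level assessed from what people are actually doing
    equivalent: int  # level the organisation effectively benefits from
    target: int      # level the organisation has decided it ought to reach

    def __post_init__(self):
        for level in (self.current, self.equivalent, self.target):
            if level not in LEVELS:
                raise ValueError(f"{self.name}: maturity level {level} is outside 1-5")
        if self.equivalent < self.current:
            raise ValueError(f"{self.name}: equivalent maturity cannot be below the assessed level")


def priority(a: Activity) -> int:
    """Gap between target and assessed level (assumed rule); 0 once the target is met."""
    return max(a.target - a.current, 0)


def at_risk(a: Activity) -> bool:
    """The benefit rests on undocumented team knowledge and would drop if the team changed."""
    return a.equivalent > a.current


def gap_report(activities):
    """Report rows sorted by priority (highest first), then by activity name."""
    rows = [
        {"activity": a.name, "current": a.current, "equivalent": a.equivalent,
         "target": a.target, "priority": priority(a), "at_risk": at_risk(a),
         "note": "document and cross-train" if at_risk(a) else ""}
        for a in activities
    ]
    return sorted(rows, key=lambda r: (-r["priority"], r["activity"]))


# Constructed sample assessment (not real data from any institution).
SAMPLE = [
    Activity("ID.AM Asset Management", current=2, equivalent=2, target=4),
    Activity("PR.AC Access Control", current=1, equivalent=4, target=4),
    Activity("RS.AN Analysis", current=3, equivalent=3, target=3),
    Activity("DE.CM Security Continuous Monitoring", current=2, equivalent=3, target=4),
]

if __name__ == "__main__":
    for row in gap_report(SAMPLE):
        flag = " (AT RISK: " + row["note"] + ")" if row["at_risk"] else ""
        print(f'{row["priority"]}  {row["activity"]}: {row["current"]} -> {row["target"]}{flag}')
```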